feat: support forward client cert config XFCC header #3202
Conversation
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
…struct Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
@zhaohuabing @arkodg @guydc moving XFCC configuration to tls.clientvalidation and putting mode & XFCC data selection when forwarding into one struct. Please help review.
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
hey @zufardhiyaulhaq a few comments have been added; with those addressed, this PR should be good to be merged
Hi @arkodg, sorry, been off for a while, will work on this.
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
LGTM, thanks!
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
@arkodg please help review.
Adding some comments, basically LGTM
internal/xds/translator/listener.go
Outdated
if in != nil {
    if in.ForwardClientCert != nil {
can we merge these conditions? just to simplify the code
I don't think we can merge these; there is a possibility that headers is nil.
internal/xds/translator/listener.go
Outdated
if in == nil {
    return nil
}

if in.ForwardClientCert == nil {
    return nil
}

if len(in.ForwardClientCert.CertDetailsToAdd) == 0 {
    return nil
}
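Review bot: the third guard returns nil when CertDetailsToAdd is empty, which matters if this function is also what emits the forward mode: Sanitize, ForwardOnly and AlwaysForwardOnly (from the ForwardMode enum in this PR) never add the current proxy's element and so need no cert details, yet with an empty list they would yield no XFCC configuration at all. Either gate only the cert-detail settings on the length check, or add a comment that the mode is applied elsewhere. Separately, since every guard returns the same nil and `||` short-circuits left to right, `if in == nil || in.ForwardClientCert == nil || len(in.ForwardClientCert.CertDetailsToAdd) == 0 { return nil }` is equivalent and cannot dereference a nil pointer, which answers the merge question above.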
ditto
I don't think we can merge these; there is a possibility that headers & forwardclientcert is nil.
// Specifies the fields in the client certificate to be forwarded on the x-forwarded-client-cert (XFCC) HTTP header
// +kubebuilder:validation:MaxItems=5
// +optional
CertDetailsToAdd []ClientCertData `json:"certDetailsToAdd,omitempty"`
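Review bot: uniqueness of CertDetailsToAdd can be enforced by the API server without custom code: adding `// +listType=set` to this field marks it `x-kubernetes-list-type: set`, and CRD validation rejects a scalar list with duplicate entries, so it belongs next to `+kubebuilder:validation:MaxItems=5` (five is also exactly the number of enum values, so the cap and the set constraint together bound the field). A CEL `+kubebuilder:validation:XValidation` rule is the fallback if set semantics are unwanted for server-side apply merging.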
should we check the uniqueness of its element?
kubebuilder does not support checking the uniqueness of these elements
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
LGTM, thanks for addressing the changes!
@zufardhiyaulhaq can you run
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
##             main    #3202   +/-   ##
=======================================
  Coverage   67.36%   67.36%
=======================================
  Files         166      166
  Lines       19213    19293   +80
=======================================
+ Hits        12942    12996   +54
- Misses       5342     5365   +23
- Partials      929      932    +3
View full report in Codecov by Sentry.
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
// Envoy Proxy mode how to handle the x-forwarded-client-cert (XFCC) HTTP header.
// +kubebuilder:validation:Enum=Sanitize;ForwardOnly;AppendForward;SanitizeSet;AlwaysForwardOnly
type ForwardMode string
ForwardMode might be a bit vague here since it's a package-wide type. Perhaps adding an XFCC prefix could enhance clarity.
Suggested change:
- type ForwardMode string
+ type XFCCForwardMode string
const (
	// Do not send the XFCC header to the next hop. This is the default value.
	ForwardModeSanitize ForwardMode = "Sanitize"
Same here, and the rest of modes.
Suggested change:
- ForwardModeSanitize ForwardMode = "Sanitize"
+ XFCCForwardModeSanitize XFCCForwardMode = "Sanitize"
// Specifies the fields in the client certificate to be forwarded on the x-forwarded-client-cert (XFCC) HTTP header
// By default, x-forwarded-client-cert (XFCC) will always include By and Hash data
// +kubebuilder:validation:Enum=Subject;Cert;Chain;Dns;Uri
type ClientCertData string
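Review bot: Cert and Chain deserve a caveat in this comment: in Envoy's XFCC element they carry the entire client certificate, and respectively the whole chain including the leaf, as URL-encoded PEM, so selecting them adds kilobytes to every request header and can hit upstream header-size limits, while Hash (always present) already pins the exact certificate. Stating that trade-off here, where a user picks the values, is cheaper than discovering it in production.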
Same here.
Suggested change:
- type ClientCertData string
+ type XFCCCertData string
const (
	// Whether to forward the subject of the client cert.
	ClientCertDataSubject ClientCertData = "Subject"
Same here, and the rest of constants.
Suggested change:
- ClientCertDataSubject ClientCertData = "Subject"
+ XFCCCertDataSubject XFCCCertData = "Subject"
)

// Specifies the fields in the client certificate to be forwarded on the x-forwarded-client-cert (XFCC) HTTP header
// By default, x-forwarded-client-cert (XFCC) will always include By and Hash data
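Review bot: to answer the question below in the doc comment itself: in Envoy's XFCC element, By is the URI-type Subject Alternative Name of the current proxy's own certificate (which proxy vouches for the element) and Hash is the SHA-256 digest of the client certificate (pinning exactly which certificate was presented). That is why both are always sent, and an upstream should only trust the element whose By names its own trusted proxy.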
It might be useful to clarify what Hash and By are in the comment.
Let's get this in and address the comments in a follow-up PR.
What type of PR is this?
Configure Envoy Gateway to propagate the XFCC header.
What this PR does / why we need it:
This can be used to authorize clients based on the certificate in the XFCC header.
Which issue(s) this PR fixes:
#2599
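As an added example (not code from this PR or from Envoy Gateway) of what the upstream side of this feature has to do, the following Go program parses an x-forwarded-client-cert value in the element format Envoy produces (comma-separated elements, semicolon-separated key=value pairs, double-quoted values with backslash escapes, and the By, Hash, Cert, Chain, Subject, URI and DNS keys) and accepts only the element appended by the gateway, identified by a trusted By value. The header, the SPIFFE-style identities and the Hash values are constructed for the example, and trustedGatewayBy is an assumed URI SAN for the gateway's certificate.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// XFCCElement is the key=value pairs one proxy appended; URI and DNS may repeat, so values are slices.
type XFCCElement map[string][]string

var knownKeys = map[string]bool{"By": true, "Hash": true, "Cert": true, "Chain": true, "Subject": true, "URI": true, "DNS": true}

// ParseXFCC splits a header value into per-proxy elements: elements are separated by ',',
// pairs by ';', and a value may be double-quoted with backslash escapes (Envoy quotes values that contain ',', ';' or '=').
func ParseXFCC(header string) ([]XFCCElement, error) {
	var elems []XFCCElement
	var key, val strings.Builder
	cur, inKey, inQuote, escaped := XFCCElement{}, true, false, false
	flush := func() error { // commit the pending key=value pair, if any
		k := strings.TrimSpace(key.String())
		if inKey && k == "" {
			return nil // nothing pending, e.g. an empty header or a trailing ';'
		}
		if inKey || !knownKeys[k] {
			return fmt.Errorf("xfcc: malformed or unknown pair %q", k)
		}
		cur[k] = append(cur[k], val.String())
		key.Reset()
		val.Reset()
		inKey = true
		return nil
	}
	for _, r := range header {
		switch {
		case escaped: // character after a backslash inside quotes is literal
			val.WriteRune(r)
			escaped = false
		case inQuote && r == '\\':
			escaped = true
		case inQuote && r == '"':
			inQuote = false
		case inQuote:
			val.WriteRune(r)
		case r == '=' && inKey:
			inKey = false
		case r == '"' && !inKey && val.Len() == 0:
			inQuote = true
		case r == ';' || r == ',':
			if err := flush(); err != nil {
				return nil, err
			}
			if r == ',' && len(cur) > 0 { // ',' closes one proxy's element
				elems, cur = append(elems, cur), XFCCElement{}
			}
		case inKey:
			key.WriteRune(r)
		default:
			val.WriteRune(r)
		}
	}
	if inQuote {
		return nil, errors.New("xfcc: unterminated quoted value")
	}
	if err := flush(); err != nil {
		return nil, err
	}
	if len(cur) > 0 {
		elems = append(elems, cur)
	}
	return elems, nil
}

// LastHopIdentity returns the element appended by the proxy that delivered the request (the last one):
// earlier elements came from whoever sent the request to that proxy, so only the last is trusted, and only when By names the trusted proxy.
func LastHopIdentity(elems []XFCCElement, trustedBy string) (XFCCElement, error) {
	if len(elems) == 0 {
		return nil, errors.New("xfcc: header absent")
	}
	last := elems[len(elems)-1]
	if by := last["By"]; len(by) != 1 || by[0] != trustedBy || len(last["Hash"]) == 0 {
		return nil, fmt.Errorf("xfcc: last hop %v is not the trusted proxy", by)
	}
	return last, nil
}

// trustedGatewayBy is an assumed URI SAN for the gateway's own certificate.
const trustedGatewayBy = "spiffe://example.internal/ns/gateway/sa/envoy"

// sampleXFCC is a constructed header: an element passed through from an upstream mesh hop, then the element the trusted gateway appended (Hash values are placeholders).
const sampleXFCC = `By=spiffe://example.internal/ns/mesh/sa/frontend;Hash=1111aaaa;Subject="CN=frontend-client",` +
	`By=spiffe://example.internal/ns/gateway/sa/envoy;Hash=2222bbbb;Subject="/C=US/O=Example, Inc./CN=orders \"prod\" client";` +
	`URI=spiffe://example.internal/ns/orders/sa/client;DNS=orders.example.internal`

func main() {
	elems, err := ParseXFCC(sampleXFCC)
	if err == nil {
		_, err = LastHopIdentity(elems, trustedGatewayBy)
	}
	fmt.Println("elements:", len(elems), "trusted-hop check error:", err)
}
```

The trust rule is the point: with the AppendForward mode, elements added by earlier hops are kept, and on a direct connection the whole header is whatever the client sent, so an upstream authorizes on the last element only after confirming the request arrived through the proxy whose By it expects.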